There’s been a lot of discussion recently regarding social media and data privacy. While Facebook™, Twitter™, LinkedIn™, and other social media giants can roll out security upgrades to their platforms and commit to ensuring data privacy, at the end of the day, the information your organization shares on social media can ultimately put your company at risk.
This blog will look at some common risk scenarios, how hackers may be targeting you through these platforms, and what you can do to continue sharing relevant information with your audiences, while doing your best to keep your business protected.
Social Media: Today’s New Hub for Cyber Villains.
First it was websites. Then it was email. Now, social media channels have become one of the latest gateways for cybercriminals. It’s a bottom-up strategy that targets employees who post to social accounts as points of entry into employers.
Because of the business information it incorporates, LinkedIn is an especially valuable source for discovering individuals’ company email addresses and gaining a foothold in organizations. Something as simple as a public post announcing that you attended a leadership conference can be used to craft a targeted phishing email containing a malicious link to malware-infected sites, ransomware, and more.
It’s more than just email addresses that open the floodgates. When social media users neglect their privacy settings or publicly post personal notes and photos, they make it possible for cybercriminals to use that information to launch malicious campaigns camouflaged with enticing offers, such as free merchandise in exchange for completing and forwarding a survey, discounts on items relevant to the post, and more. This psychological manipulation of people into performing actions or divulging confidential information is known as “social engineering”—and is a highly effective way of exploiting social media to gather intelligence and gain access into a network.
No platform is immune. Hackers have used Facebook Chat to spread malware, promote phishing applications, and steal information using social engineering techniques. Twitter has been subject to scams featuring links to free vouchers. LinkedIn has suffered redirects to a webpage that installs a variant of the Zeus banking trojan (also known as ZBot).
It’s no surprise, then, to learn that social media ranks as the No. 1 channel of perceived compliance risk and that more than 1 in 8 enterprises has suffered security breaches related to a social media cyber event.
How Are Cybercriminals Closing In?
The sequence of stages cybercriminals work through to infiltrate a network is commonly modelled as the “Cyber Kill Chain.”
The first step in the Cyber Kill Chain is reconnaissance, which relies heavily on “open-source intelligence” (OSINT): publicly available information about the target. In this phase, threat actors gather as much information as possible so that the tools and platforms they later use can be tailored to the victim. The more information they have, the better chance they have of succeeding. For example:
- Anyone can go to LinkedIn right now, search a company and get a list of most employees at that company. Using a known email from someone at that company, it’s relatively easy to extrapolate all the other individuals’ email addresses since most companies use a standard format for email addresses (such as firstname.lastname@example.org). This makes it easy to carry out phishing attempts against numerous employees of the organization.
- If someone from the company posts that they’re loving the new McAfee™ Antivirus, hackers now know what countermeasures they need to evade.
- Likewise, if an employee posts about the company’s installation of the newest Windows™ operating system, a threat actor now knows what OS vulnerabilities to exploit.
It’s important to remember that your company’s partners and service providers are also potential weak links, especially if their platforms are integrated into your network. Anyone can see who follows or interacts with you on social media, and attackers can then target those organizations instead. If their security posture is weaker than yours, threat actors are likely to go after your partners in order to gain a foothold in your environment.
The Steps to Take
Forget about enforcing company-wide bans on social media. Employees are going to continue connecting through online communities, for good or for bad.
Instead, create a “social media mission” for your company, and then enforce a security-aware culture by following these steps.
Step 1: Educate your employees on social media’s potential risks to a company.
Step 2: Place limits on what kind, and how much, information they can share on social media. Do not allow intra-company communication via social media. Stress to your team that conversations between coworkers should take place on your secure, confidential communication channels.
Step 3: Strongly discourage employees from linking their personal social media accounts to the company’s accounts.
Step 4: If that’s unavoidable (think: LinkedIn), educate them on social media security basics. Instruct them on the privacy settings available on the various platforms and how to apply them to their accounts. (Facebook recently made it much easier for people to apply stricter privacy settings to previous posts.) As part of your security program, require two-factor authentication on social media accounts.
Step 5: Store the passwords to all of your company’s corporate social media accounts in a shared password manager. Employees should not be able to set their own (inevitably too-simple) passwords to corporate accounts. A password manager, such as LastPass, can help generate strong passwords and also keep them secure. Even strong passwords, however, should be changed frequently.
Step 6: Instead of using a shared password, implement single sign-on technology that allows social media administrators to log in to the relevant sites transparently, without ever knowing the shared password. That will help protect your social media accounts when people join or leave the company.
Step 7: Emphasize the importance of not inherently trusting everyone we meet on social media: Encourage employees to refuse friend requests from people they don’t know. Likewise, if an inviting “potential customer” contacts the company via social media, direct them to a company representative through a channel off social media, such as a customer service portal or the help desk phone line.
Step 8: Above all, urge employees to resist clicking on suspicious links.
Want to Enhance Your Cybersecurity? Then “Like” This.
Social media isn’t going away. In fact, it will probably become even more ubiquitous as each day goes by. Furthermore, there’s an inherent trust that comes with social media platforms. If you break that trust with those you’re connected to on these platforms, leaving a trail of virtual bread crumbs into your company’s network for cybercriminals, it’s hard to gain trust back. However, when it’s all said and done, you still hold the keys to your enterprise security. So use them with confidence, determination, and vigilance. It can take a long time for companies to forge a persona of trust and reliability in the minds of customers, partners, investors, and suppliers. But it just takes a click to throw it all away.